How can I add JsafeJCE cipher suite to Lucee 4.5 for updated PayPal RESTFUL API. Is this possible?


ad...@establishmindfulness.com

Feb 4, 2016, 10:25:03 AM2/4/16
to Lucee
REQUEST:

Please can you add JsafeJCE cipher suite to the security provider list in Lucee 4.5. This would bring Lucee 4.5 in line with Adobe Coldfusion 11.

ENVIRONMENT:

I am running Lucee 4.5 with IIS7 on Windows 2008R2.

ISSUE:

I am trying to use OAuth2 with https://api.sandbox.paypal.com/v1/oauth2/token.
For many months it has been issuing tokens without any problems.

Then, PayPal upgraded their certificates and SSL ciphers requirement:

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US&direct=en

I have updated all my certificates using keytool to cacerts keystore. The error persists.
So I believe this is not a certificate problem.

I believe it is a problem with the security provider list bundled with JRE.
It does not contain the required cipher suite.

Interestingly, I updated my local testing environment from Adobe Coldfusion [ACF] 10 to ACF 11, and the problem disappeared.
I noticed that the security provider list is much more extensive in ACF11, and includes a beefed up JsafeJCE cipher suite. JsafeJCE is the default security provider in ACF11.

I am using Railo/Lucee on my production server. It is the most up to date version of this application server.

I am getting the following error, when trying to obtain a PayPal RESTFUL API token on my production server:

Cause           string  javax.net.ssl.SSLHandshakeException
url             string  https://api.sandbox.paypal.com/v1/oauth2/token
Detail          string
ErrorCode       string  0
Extended_Info   string
ExtendedInfo    string
Message         string  Received fatal alert: handshake_failure
StackTrace      string  Received fatal alert: handshake_failure
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192):192
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:154):154
  at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959):1959
  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077):1077
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312):1312
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339):1339
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323):1323
  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394):394
  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353):353
  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134):134
  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353):353
  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380):380
  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236):236
  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184):184
  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88):88
  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110):110
  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184):184
  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82):82
  at lucee.runtime.tag.Executor41.execute(Http41.java:1494):1494
  at lucee.runtime.tag.Executor41.run(Http41.java:1482):1482

https://groups.google.com/forum/#!msg/railo/b_2qteKb7k0/wy9K3zMgXqMJ

Nando Breiter

Feb 4, 2016, 11:35:42 AM2/4/16
to lu...@googlegroups.com
Although I have not tried it, I have a hunch you could add the latest JsafeJCE cipher suite using java.security.Security.addProvider()

something like

var sec = createObject("java", "java.security.Security");   // static Security class via a Java proxy
var JsafeJCE = ... ;   // a java.security.Provider instance for the JsafeJCE provider
sec.addProvider(JsafeJCE);   // appends the provider to the end of the JVM's provider list

You'll find an example in one of Ben Nadel's blog posts: 



Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamedia


Pete Freitag

Feb 5, 2016, 11:19:40 AM2/5/16
to lu...@googlegroups.com
What version of Java are you running? The standard / default Java JCE is updated when you update your JVM. I was able to hit the url no problem with Java 1.8.0_45 running Lucee.

The RSA JSafe JCE is a commercial product that Adobe licenses and bundles with Enterprise Edition of ColdFusion (since version 7 or 8). So if you wanted to use it with Lucee you would have to purchase a license for it.

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
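Added diagnostic for the provider-list question in this thread (not code from the thread, from Lucee or from Adobe): a .cfm page that prints the JVM version, the security provider list, and the TLS protocols and cipher suites the default SSLContext enables versus merely supports, so a handshake_failure can be traced to a protocol or suite the JVM does not offer before any provider is added. It assumes cfhttp uses the JVM's default SSLContext, which is the common case.

```cfml
<cfscript>
// Added diagnostic, not from the thread. Run as a .cfm page on the server
// whose cfhttp call fails with handshake_failure.
sys = createObject("java", "java.lang.System");
writeOutput("java.version = " & sys.getProperty("java.version") & "<br>");
writeOutput("java.home    = " & sys.getProperty("java.home") & "<br><br>");

// The security provider list the original poster suspected was incomplete.
security = createObject("java", "java.security.Security");
writeOutput("<b>Providers</b><br>");
for (p in security.getProviders()) {
    writeOutput(p.getName() & " - " & p.getInfo() & "<br>");
}

// Default SSLContext: "enabled" is what the client offers in its ClientHello,
// "supported" is everything the JVM could use if it were enabled.
ctx       = createObject("java", "javax.net.ssl.SSLContext").getDefault();
enabled   = ctx.getDefaultSSLParameters();
supported = ctx.getSupportedSSLParameters();

writeOutput("<br><b>Protocols</b><br>");
writeOutput("enabled:   " & arrayToList(enabled.getProtocols(), ", ") & "<br>");
writeOutput("supported: " & arrayToList(supported.getProtocols(), ", ") & "<br>");

writeOutput("<br><b>Cipher suites</b><br>");
enabledSuites   = enabled.getCipherSuites();
supportedSuites = supported.getCipherSuites();
writeOutput(arrayLen(enabledSuites) & " enabled of "
            & arrayLen(supportedSuites) & " supported<br>");

// Suites the JVM knows but does not offer. If the only suites a server still
// accepts are in this list (or missing entirely), the server answers the
// ClientHello with handshake_failure, which is what the thread's trace shows.
for (s in supportedSuites) {
    if (!arrayContains(enabledSuites, s)) {
        writeOutput("not enabled: " & s & "<br>");
    }
}
</cfscript>
```

Compare the enabled protocols and suites against what the remote endpoint accepts; if the required ones are absent from the supported list as well, updating the JVM (as Pete suggests) is the fix rather than adding a provider.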

ad...@establishmindfulness.com

Feb 6, 2016, 3:54:03 PM2/6/16
to Lucee
Thanks Pete for this answer.

I actually tried this fix, without success and a similar one suggested by Raymond Camden:

http://www.raymondcamden.com/2011/01/12/Diagnosing-a-CFHTTP-issue-peer-not-authenticated/

In fact, PayPal's new security policy requires JSafeJCE. CF10 update 17 & CF11 have a more extensive set of ciphers in the JSafeJCE suite than previous versions. These are required for PayPal's RESTFUL API.

The only solution was to install CF11, as my CF10 updater kept throwing update installer errors.

On my remote server, I tried updating Railo 4.2+ to Lucee 4.5. The update was successful, but the JRE was not fully updated, though this did not break the application server.
In the end, I tried a clean install of Lucee 4.5, and my PayPal connection was restored successfully once more.

But, I guess different problems require slightly different solutions!

Cheers anyway for your help...

ad...@establishmindfulness.com

Feb 6, 2016, 4:27:16 PM2/6/16
to Lucee
Nando, I tried this with no luck. In the end I found out that only CF10 update 17 and CF11 contain the updated JSafeJCE cipher suite. I ended up installing CF11 and everything worked again. On my production server, I uninstalled Railo 4.2+ and did a clean install of Lucee 4.5. And everything worked again.

By the way, the link you added to Ben Nadel's blog, is very interesting. That guy is great. Easy to understand...

Thanks for your suggestion anyway.

ad...@establishmindfulness.com

Feb 6, 2016, 6:56:20 PM2/6/16
to Lucee
One other thing I wanted to ask is: do you know how I issue Java debug commands in Lucee?
Can I add to Lucee Tomcat console -> Java:

-Djavax.net.debug=ssl:handshake

And where would I view the debug output? This would have been really useful in relation to this issue.
